- What can you expect to get from the APIs
- Getting Started with the Reputation Service API
- Swagger - for easy API usage and reference
- How to generate an authentication token?
- The services APIs
- Response
Leverage Check Point’s threat intelligence to enrich your SIEM and SOAR solutions, and secure your business applications and websites using simple RESTful APIs.
Check Point's Reputation Service API offers the following capabilities:
- URL Reputation - Returns the classification and associated risk of accessing a given domain or URL.
- File Reputation - Returns the risk level of downloading a file based on its hash (MD5/SHA1/SHA256).
- IP Reputation - Returns the classification and associated risk of accessing a resource hosted on a given IP address.
An important field from the response is the assessed risk of accessing the queried resource. Each risk (0-100) is accompanied with the Confidence and the Severity, and our Recommended Action.
Risk Threshold Guide
| Risk Range | Description | Confidence | Severity | Recommended Action |
|---|---|---|---|---|
| Risk=0 | Indications of a legit website. | High | N/A | Allow list |
| Risk=34 | The service couldn't classify the domain. not enough data for this resource. | Low/Medium/High | Low/Medium | N/A |
| Risk=50 | Anonymizers, hosting and parked websites, Unknown files. | Medium/High | Medium | N/A |
| Risk=64 | Browsing to the resource should be done with extra caution. | Low | High/Critical | Caution |
| Risk=80 | There are circumstantial evidences that ties the resource to malicious activity. | Medium | High/Critical | Block |
| Risk=100 | Known malicious resource by at least one trusted vendors. | High | High/Critical | Block |
Further context details like Classification, Categories, Popularity and more can be found in the full json Response. Expect different fields corresponding to the service type you choose (URL / IP / FILE).
To get started with the APIs, please contact us.
We will provide you with a trial API key along with a daily quota. If you exceed your quota, the API will return a 429 (Too Many Requests) status code.
Check out our Swagger UI to easily explore and use the API.
Authentication to the reputation service is aquired using a token generated by the rep-auth service.
- The token expires after one week, to renew the authentication - send a new token request.
- A token should look like this:
exp=1578566241~acl=/*~hmac=95add7c04faa2e7831b451fd45503e4a2ac0598c7e84a5ace7dd611d7b483e5f
To generate a token, send an HTTPS GET request to the following endpoint: https://rep.checkpoint.com/rep-auth/service/v1.0/request
- Include the Client-Key header with your trial API key in your request.
- If the header is missing or invalid, the server will respond with an HTTP 401 Unauthorized status code.
How do I know that the token has expired?
If your token has expired, the service will respond with an HTTP 403 Forbidden status code.
Send an HTTPS POST request to the following endpoint: https://rep.checkpoint.com/url-rep/service/v3.0/query?resource={url}
Request headers:
- "Client-Key": Your trial API key.
- "token": the token you have received from the rep-auth service.
Request body, use JSON format:
{
"request": [{
"resource": "{url}"
}]
}| Parameter Name | Type | is Optional | Description |
|---|---|---|---|
| resource | String | No | the URL to query about |
| Classification | Description | Severity |
|---|---|---|
| Adware | A website that operates in legal gray areas by collecting users’ private data without clear consent, displaying unwanted or intrusive content (such as pop-up ads), or embedding sub-applications that initiate unsolicited downloads. Visit Checkpoint's blog: "What is Adware?" for further education | Low |
| Volatile Website | A website that contains malicious software, for example: hacking websites. | Medium |
| Benign | A legit website, which don't serve any malicious purpose. | N/A |
| CnC Server | A C&C server is used by attackers to issue commands to, and receive data from, malware-infected devices (also known as bots or zombies). | Critical |
| Compromised Website | A Legit website that was hacked and now serves a malicious purpose. | High |
| Phishing | A website that attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity, like a known company. Learn more at Phishing Attacks. How does it work? | High |
| Infecting Website | A website that may infect it’s visitors with malware. | High |
| Infecting URL | A URL that may infect it’s visitors with malware. | High |
| Web Hosting | A service that rents out server space to make websites accessible on the internet. | Medium |
| File Hosting | A service that rents out server space to make files accessible on the internet. | Medium |
| Parked | A website with no original content, often displaying ads. | Medium |
| Spam | The url is used for spam. | High |
| Cryptominer | The url is used for cryptomining. | High |
| Web Service | The URL is part of a platform (Email/Marketing platform for example). | High |
| Malicious | Malicious websites, which serve for malicious purposes. | High |
| Unclassified | The service couldn't classify the domain. there is not enough data about this resource. | N/A |
Send an HTTPS POST request to the following endpoint: https://rep.checkpoint.com/file-rep/service/v3.0/query?resource={file-hash}
Request headers:
- "Client-Key": Your trial API key.
- "token": the token you have received from the rep-auth service.
request body, use JSON format:
{
"request": [{
"resource": "{file-hash}"
}]
}| Parameter Name | Type | Is Optional | Description |
|---|---|---|---|
| resource | String | No | SHA256 / MD5 / SHA1 of the file to query |
| Classification | Description | Severity |
|---|---|---|
| Unclassified | The service couldn't classify the hash. there is not enough data about this hash. | N/A |
| Adware | Adware is a form of software that downloads or displays unwanted ads when a user is online, collects marketing data and other information without the user's knowledge or redirects search requests to advertising websites. | Low |
| Riskware | Riskware are legitimate programs that can cause damage when exploited by malicious users – in order to delete, block, modify, or copy data, and disrupt the performance of computers or networks. | Medium |
| Malware | A malicious file that can harm computers or networks. | High |
| Benign | A legitimate file safe to run or process. | Medium |
| Unknown | The service has never seen this file before. | N/A |
| Spam | The file is used for spam. | High |
| Cryptominer | The file is used for cryptomining. | High |
| Phishing | File that attempt to obtain sensitive information such as usernames, passwords, and credit card details. | High |
Send an HTTPS POST request to the following endpoint: https://rep.checkpoint.com/ip-rep/service/v3.0/query?resource={ip}
Request headers:
- "Client-Key": Your trial API key.
- "token": the token you have received from the rep-auth service.
request body, use JSON format:
{
"request": [{
"resource": "{ip}"
}]
}| Parameter Name | Type | Is Optional | Description |
|---|---|---|---|
| resource | String | No | The IP to query |
| Classification | Description | Severity |
|---|---|---|
| Unclassified | The service couldn't classify the IP. there is not enough data about this IP. | N/A |
| Adware | The IP's domains are operating in the gray areas of the law collecting private data on the users and display unwanted content. | Low |
| Volatile | The IP's domains contain malicious software, for example hacking websites. | Medium |
| Benign | A legit IP, which doesn't serve any malicious purpose. | N/A |
| CnC Server | A Command and Control server used for cummunicating with malware. | Critical |
| Compromised Server | A legit IP that was hacked and now serves a malicious purpose. | High |
| Phishing | The IP's domains attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity like a known company. | High |
| Infection Source | The IP's domains may infect its visitors with malware. | High |
| Web Hosting | The IP's domains allow to rent server space to make websites accessible on the internet. | Medium |
| File Hosting | The IP's domains allow to renter server space to make files accessible on the internet. | Medium |
| Parked | The IP's domains permanently do not have content. it may contain advertising content on pages that have been registered but do not yet have original content. | Medium |
| Scanner | The IP is a known internet scanner. | Medium |
| Anonymiser | The IP is a known TOR anonymity internet. | Medium |
| Cryptominer | The IP's domains are used for cryptomining. | High |
| Spam | The IP's domains are used for spam. | High |
| Compromised Host | The IP belongs to a website which was hacked. | Medium |
| Attribute Name | Type | Description | Inner Attribute | Inner Attribute Description |
|---|---|---|---|---|
| status | Object | Reflect the application status |
|
code: 2001 code: 2006 |
| resource | String | The URL from the request | ||
| reputation | Object | Reputation meta-data | classification | |
| severity | The severity of the classification. Possible values:
|
|||
| confidence | How much the service is confident with the reputation response.
|
| HTTP Response Code | Description |
|---|---|
| 200 | OK |
| 400 | Bad request - either the resource is not valid or the request parameter doesn't match the resource in the request body |
| 401 | Bad or missing "Client-Key" header |
| 403 | Bad or missing "token" header |